doorkeeper-openid_connect 1.6.2 → 1.7.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +59 -1
- data/README.md +11 -0
- data/app/controllers/doorkeeper/authorizations_controller.rb +17 -0
- data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb +25 -19
- data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb +5 -1
- data/config/locales/en.yml +1 -0
- data/lib/doorkeeper/oauth/id_token_request.rb +8 -12
- data/lib/doorkeeper/oauth/id_token_response.rb +2 -0
- data/lib/doorkeeper/oauth/id_token_token_request.rb +2 -0
- data/lib/doorkeeper/oauth/id_token_token_response.rb +2 -0
- data/lib/doorkeeper/openid_connect.rb +26 -1
- data/lib/doorkeeper/openid_connect/claims/aggregated_claim.rb +2 -0
- data/lib/doorkeeper/openid_connect/claims/claim.rb +6 -4
- data/lib/doorkeeper/openid_connect/claims/distributed_claim.rb +2 -0
- data/lib/doorkeeper/openid_connect/claims/normal_claim.rb +2 -0
- data/lib/doorkeeper/openid_connect/claims_builder.rb +3 -1
- data/lib/doorkeeper/openid_connect/config.rb +20 -10
- data/lib/doorkeeper/openid_connect/engine.rb +2 -0
- data/lib/doorkeeper/openid_connect/errors.rb +4 -3
- data/lib/doorkeeper/openid_connect/helpers/controller.rb +60 -28
- data/lib/doorkeeper/openid_connect/id_token.rb +4 -2
- data/lib/doorkeeper/openid_connect/id_token_token.rb +2 -0
- data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb +25 -8
- data/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb +4 -2
- data/lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb +3 -1
- data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +24 -3
- data/lib/doorkeeper/openid_connect/oauth/token_response.rb +3 -1
- data/lib/doorkeeper/openid_connect/orm/active_record.rb +2 -0
- data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb +3 -1
- data/lib/doorkeeper/openid_connect/orm/active_record/request.rb +5 -3
- data/lib/doorkeeper/openid_connect/rails/routes.rb +3 -1
- data/lib/doorkeeper/openid_connect/rails/routes/mapper.rb +2 -0
- data/lib/doorkeeper/openid_connect/rails/routes/mapping.rb +2 -0
- data/lib/doorkeeper/openid_connect/response_mode.rb +30 -0
- data/lib/doorkeeper/openid_connect/response_types_config.rb +2 -2
- data/lib/doorkeeper/openid_connect/user_info.rb +2 -0
- data/lib/doorkeeper/openid_connect/version.rb +3 -1
- data/lib/doorkeeper/request/id_token.rb +2 -0
- data/lib/doorkeeper/request/id_token_token.rb +2 -0
- data/lib/generators/doorkeeper/openid_connect/install_generator.rb +4 -2
- data/lib/generators/doorkeeper/openid_connect/migration_generator.rb +3 -1
- data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb +19 -5
- data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +3 -2
- metadata +33 -34
- data/.gitignore +0 -8
- data/.ruby-version +0 -1
- data/.travis.yml +0 -34
- data/CONTRIBUTING.md +0 -45
- data/Gemfile +0 -11
- data/Rakefile +0 -24
- data/bin/console +0 -9
- data/bin/setup +0 -8
- data/doorkeeper-openid_connect.gemspec +0 -30
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ab0de01b3be4241280fd4846f9c38b4c915685918a6401e464dce609fb588ace
|
4
|
+
data.tar.gz: 999e38663483020d9c84b525f38842e0d9a5811c72ddfd04bdb7c86e1e018b2a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz: '
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: '09f0860be72310e44989febad8997e4fce1a82bf8d2986cfa3dfe56a0c9e55414d74f19a6dae35636aa5871c5778baad7b8776627835a30bd356bbb251fc4e32'
|
7
|
+
data.tar.gz: d6d42d010bd3e216dd1f1c84d60f86b4944f43a64d48db2cd613fddb189c7ac6ef079b713a86dd0b95a3551756b15a4868287c1af836fc0ada87efc6e1efc630
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,64 @@
|
|
1
1
|
## Unreleased
|
2
2
|
|
3
|
-
|
3
|
+
## v1.7.3 (2020-07-06)
|
4
|
+
|
5
|
+
- [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
|
6
|
+
- [#112] Add grant_types_supported to discovery response
|
7
|
+
- [#114] Fix user_info endpoint when used in api mode
|
8
|
+
- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
|
9
|
+
- [#117] Fix migration template to use Rails migrations DSL for association.
|
10
|
+
- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
|
11
|
+
- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
|
12
|
+
|
13
|
+
## v1.7.2 (2020-05-20)
|
14
|
+
|
15
|
+
### Changes
|
16
|
+
|
17
|
+
- [#108] Add support for Doorkeeper 5.4
|
18
|
+
- [#103] Add support for end_session_endpoint
|
19
|
+
- [#109] Test against Ruby 2.7 & Rails 6.x
|
20
|
+
|
21
|
+
## v1.7.1 (2020-02-07)
|
22
|
+
|
23
|
+
### Upgrading
|
24
|
+
|
25
|
+
This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
|
26
|
+
|
27
|
+
For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
|
28
|
+
|
29
|
+
```ruby
|
30
|
+
class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
|
31
|
+
def up
|
32
|
+
remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
|
33
|
+
add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
|
34
|
+
end
|
35
|
+
|
36
|
+
def down
|
37
|
+
remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
|
38
|
+
add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
|
39
|
+
end
|
40
|
+
end
|
41
|
+
```
|
42
|
+
|
43
|
+
### Bugfixes
|
44
|
+
|
45
|
+
- [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
|
46
|
+
- [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
|
47
|
+
- [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
|
48
|
+
- [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
|
49
|
+
|
50
|
+
## v1.7.0 (2019-11-04)
|
51
|
+
|
52
|
+
### Changes
|
53
|
+
|
54
|
+
- [#85] This gem now requires Doorkeeper 5.2, Rails 5, and Ruby 2.4
|
55
|
+
|
56
|
+
## v1.6.3 (2019-09-24)
|
57
|
+
|
58
|
+
### Changes
|
59
|
+
|
60
|
+
- [#81] Allow silent authentication without user consent (thanks to @jarosan)
|
61
|
+
- Don't support Doorkeeper >= 5.2 due to breaking changes
|
4
62
|
|
5
63
|
## v1.6.2 (2019-08-09)
|
6
64
|
|
data/README.md
CHANGED
@@ -4,6 +4,8 @@
|
|
4
4
|
[![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
|
5
5
|
[![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
|
6
6
|
|
7
|
+
#### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
|
8
|
+
|
7
9
|
This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
|
8
10
|
|
9
11
|
OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
|
@@ -137,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
|
|
137
139
|
- Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
|
138
140
|
- Required to support the `max_age` and `prompt=login` parameters.
|
139
141
|
- The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
|
142
|
+
- `select_account_for_resource_owner`
|
143
|
+
- Defines how to trigger account selection to choose the current login user.
|
144
|
+
- Required to support the `prompt=select_account` parameter.
|
145
|
+
- The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
|
140
146
|
|
141
147
|
The following settings are optional:
|
142
148
|
|
@@ -150,6 +156,11 @@ The following settings are optional:
|
|
150
156
|
- Note that the OIDC specification mandates HTTPS, so you shouldn't change this
|
151
157
|
for production environments unless you have a really good reason!
|
152
158
|
|
159
|
+
- `end_session_endpoint`
|
160
|
+
- The URL that the user is redirected to after ending the session on the client.
|
161
|
+
- Used by implementations like https://github.com/IdentityModel/oidc-client-js.
|
162
|
+
- The block is executed in the controller's scope, so you have access to your route helpers.
|
163
|
+
|
153
164
|
### Scopes
|
154
165
|
|
155
166
|
To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.
|
@@ -0,0 +1,17 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
|
4
|
+
|
5
|
+
module Doorkeeper
|
6
|
+
class AuthorizationsController
|
7
|
+
module AuthorizationsExtension
|
8
|
+
private
|
9
|
+
|
10
|
+
def pre_auth_param_fields
|
11
|
+
super.append(:nonce)
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
Doorkeeper::AuthorizationsController.prepend AuthorizationsExtension
|
16
|
+
end
|
17
|
+
end
|
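Review bot: `super.append(:nonce)` in `pre_auth_param_fields` mutates whatever array the parent method returns. The parent implementation is not shown here; if it ever returns a memoized or frozen array, this would either add `:nonce` again on every call or raise `FrozenError`. Returning a new array avoids depending on that: `super + [:nonce]`. A one-line comment saying that `nonce` is the request parameter being passed through to pre-authorization would also help readers of this prepended extension.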
@@ -1,9 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OpenidConnect
|
3
5
|
class DiscoveryController < ::Doorkeeper::ApplicationController
|
4
6
|
include Doorkeeper::Helpers::Controller
|
5
7
|
|
6
|
-
WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
|
8
|
+
WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
|
7
9
|
|
8
10
|
def provider
|
9
11
|
render json: provider_response
|
@@ -30,21 +32,19 @@ module Doorkeeper
|
|
30
32
|
introspection_endpoint: oauth_introspect_url(protocol: protocol),
|
31
33
|
userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
|
32
34
|
jwks_uri: oauth_discovery_keys_url(protocol: protocol),
|
35
|
+
end_session_endpoint: openid_connect.end_session_endpoint.call,
|
33
36
|
|
34
37
|
scopes_supported: doorkeeper.scopes,
|
35
38
|
|
36
39
|
# TODO: support id_token response type
|
37
40
|
response_types_supported: doorkeeper.authorization_response_types,
|
38
|
-
response_modes_supported: [
|
39
|
-
|
40
|
-
token_endpoint_auth_methods_supported: [
|
41
|
-
'client_secret_basic',
|
42
|
-
'client_secret_post',
|
41
|
+
response_modes_supported: %w[query fragment],
|
42
|
+
grant_types_supported: grant_types_supported(doorkeeper),
|
43
43
|
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
],
|
44
|
+
# TODO: look into doorkeeper-jwt_assertion for these
|
45
|
+
# 'client_secret_jwt',
|
46
|
+
# 'private_key_jwt'
|
47
|
+
token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
|
48
48
|
|
49
49
|
subject_types_supported: openid_connect.subject_types_supported,
|
50
50
|
|
@@ -56,18 +56,24 @@ module Doorkeeper
|
|
56
56
|
'normal',
|
57
57
|
|
58
58
|
# TODO: support these
|
59
|
-
#'aggregated',
|
60
|
-
#'distributed',
|
59
|
+
# 'aggregated',
|
60
|
+
# 'distributed',
|
61
61
|
],
|
62
62
|
|
63
|
-
claims_supported: [
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
63
|
+
claims_supported: %w[
|
64
|
+
iss
|
65
|
+
sub
|
66
|
+
aud
|
67
|
+
exp
|
68
|
+
iat
|
69
69
|
] | openid_connect.claims.to_h.keys,
|
70
|
-
}
|
70
|
+
}.compact
|
71
|
+
end
|
72
|
+
|
73
|
+
def grant_types_supported(doorkeeper)
|
74
|
+
grant_types_supported = doorkeeper.grant_flows
|
75
|
+
grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
|
76
|
+
grant_types_supported
|
71
77
|
end
|
72
78
|
|
73
79
|
def webfinger_response
|
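Review bot: `grant_types_supported` appends to the array returned by `doorkeeper.grant_flows` with `<<`, so if that accessor hands back the configuration's own array (not visible here), every request for the discovery document adds another `'refresh_token'` entry to the live Doorkeeper configuration. That would grow the array on each call and put a value that is not a configured flow in front of anything else that reads `grant_flows`. Building a fresh array avoids the shared state: `flows = doorkeeper.grant_flows.dup` followed by `flows << 'refresh_token' if doorkeeper.refresh_token_enabled?`. The hunk does not show whether the new method sits under `private`; as a helper on a controller it should.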
@@ -1,7 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OpenidConnect
|
3
5
|
class UserinfoController < ::Doorkeeper::ApplicationController
|
4
|
-
|
6
|
+
unless Doorkeeper.config.api_only
|
7
|
+
skip_before_action :verify_authenticity_token
|
8
|
+
end
|
5
9
|
before_action -> { doorkeeper_authorize! :openid }
|
6
10
|
|
7
11
|
def show
|
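Review bot: The `skip_before_action :verify_authenticity_token` added at the top of `UserinfoController` has no comment saying why dropping CSRF verification is acceptable. The `before_action -> { doorkeeper_authorize! :openid }` right after it suggests the endpoint is authenticated by an access token rather than a session cookie, which is what makes the skip safe; stating that keeps a later change from copying it to a cookie-authenticated action, e.g. `# Token-authenticated endpoint, so CSRF protection does not apply; api_only mode has no such callback to skip.` If the base controller can be set up without forgery protection outside api_only mode (not visible here), `skip_before_action :verify_authenticity_token, raise: false` would avoid an error at class load. The class body continues past the hunk.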
data/config/locales/en.yml
CHANGED
@@ -19,4 +19,5 @@ en:
|
|
19
19
|
resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
|
20
20
|
auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
|
21
21
|
reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
|
22
|
+
select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
|
22
23
|
subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OAuth
|
3
5
|
class IdTokenRequest
|
@@ -9,18 +11,18 @@ module Doorkeeper
|
|
9
11
|
end
|
10
12
|
|
11
13
|
def authorize
|
12
|
-
|
13
|
-
|
14
|
-
@auth.issue_token
|
15
|
-
@response = response
|
14
|
+
@auth = Authorization::Token.new(pre_auth, resource_owner)
|
15
|
+
if @auth.respond_to?(:issue_token!)
|
16
|
+
@auth.issue_token!
|
16
17
|
else
|
17
|
-
@
|
18
|
+
@auth.issue_token
|
18
19
|
end
|
20
|
+
response
|
19
21
|
end
|
20
22
|
|
21
23
|
def deny
|
22
24
|
pre_auth.error = :access_denied
|
23
|
-
error_response
|
25
|
+
pre_auth.error_response
|
24
26
|
end
|
25
27
|
|
26
28
|
private
|
@@ -30,12 +32,6 @@ module Doorkeeper
|
|
30
32
|
|
31
33
|
IdTokenResponse.new(pre_auth, auth, id_token)
|
32
34
|
end
|
33
|
-
|
34
|
-
def error_response
|
35
|
-
ErrorResponse.from_request pre_auth,
|
36
|
-
redirect_uri: pre_auth.redirect_uri,
|
37
|
-
response_on_fragment: true
|
38
|
-
end
|
39
35
|
end
|
40
36
|
end
|
41
37
|
end
|
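Review bot: `authorize` now builds `Authorization::Token` and issues a token unconditionally, with no check inside the method that `pre_auth` passed validation. The removed lines are blank on this page, so it is unclear whether a guard was dropped or whether callers are expected to validate first. Either document the precondition above the method, e.g. `# Caller must have checked pre_auth.authorizable?; this always issues a token.`, or keep a guard such as `return pre_auth.error_response unless pre_auth.authorizable?`. Separately, `deny` now relies on `pre_auth.error_response` where the deleted helper passed `response_on_fragment: true`, so it is worth confirming that errors for this flow are still returned in the URL fragment.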
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'doorkeeper'
|
2
4
|
require 'active_model'
|
3
5
|
require 'json/jwt'
|
@@ -20,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
|
|
20
22
|
require 'doorkeeper/openid_connect/id_token'
|
21
23
|
require 'doorkeeper/openid_connect/id_token_token'
|
22
24
|
require 'doorkeeper/openid_connect/user_info'
|
25
|
+
require 'doorkeeper/openid_connect/response_mode'
|
23
26
|
require 'doorkeeper/openid_connect/version'
|
24
27
|
|
25
28
|
require 'doorkeeper/openid_connect/helpers/controller'
|
@@ -42,7 +45,7 @@ module Doorkeeper
|
|
42
45
|
|
43
46
|
def self.signing_key
|
44
47
|
key =
|
45
|
-
if [
|
48
|
+
if %i[HS256 HS384 HS512].include?(signing_algorithm)
|
46
49
|
configuration.signing_key
|
47
50
|
else
|
48
51
|
OpenSSL::PKey.read(configuration.signing_key)
|
@@ -61,5 +64,27 @@ module Doorkeeper
|
|
61
64
|
key.slice(:kty, :kid)
|
62
65
|
end
|
63
66
|
end
|
67
|
+
|
68
|
+
if defined?(::Doorkeeper::GrantFlow)
|
69
|
+
Doorkeeper::GrantFlow.register(
|
70
|
+
:id_token,
|
71
|
+
response_type_matches: 'id_token',
|
72
|
+
response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
|
73
|
+
)
|
74
|
+
|
75
|
+
Doorkeeper::GrantFlow.register(
|
76
|
+
'id_token token',
|
77
|
+
response_type_matches: 'id_token token',
|
78
|
+
response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
|
79
|
+
)
|
80
|
+
|
81
|
+
Doorkeeper::GrantFlow.register_alias(
|
82
|
+
'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
|
83
|
+
)
|
84
|
+
else
|
85
|
+
# TODO: drop this and corresponding file when we will set minimal
|
86
|
+
# required Doorkeeper version to 5.5.
|
87
|
+
Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
|
88
|
+
end
|
64
89
|
end
|
65
90
|
end
|
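Review bot: The `register_alias('implicit_oidc', as: ['implicit', 'id_token', 'id_token token'])` call expands to the plain OAuth `implicit` flow as well as the two ID-token flows, and nothing in the code says so. An operator who enables `implicit_oidc` to get `id_token` responses would presumably also be enabling access tokens via plain `implicit`; a comment above the call should state that, e.g. `# NOTE: implicit_oidc also enables the plain OAuth implicit flow.` The two `register` calls also name their flows inconsistently (`:id_token` as a symbol, `'id_token token'` as a string), and a short comment on whether the registry normalises names would remove the doubt. The enclosing module starts outside the hunk.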
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OpenidConnect
|
3
5
|
module Claims
|
@@ -11,10 +13,10 @@ module Doorkeeper
|
|
11
13
|
name family_name given_name middle_name nickname preferred_username
|
12
14
|
profile picture website gender birthdate zoneinfo locale updated_at
|
13
15
|
],
|
14
|
-
email: %i[
|
15
|
-
address: %i[
|
16
|
-
phone: %i[
|
17
|
-
}
|
16
|
+
email: %i[email email_verified],
|
17
|
+
address: %i[address],
|
18
|
+
phone: %i[phone_number phone_number_verified],
|
19
|
+
}.freeze
|
18
20
|
|
19
21
|
def initialize(options = {})
|
20
22
|
@name = options[:name].to_sym
|
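Review bot: `}.freeze` on the scope-to-claims hash is shallow: the `%i[...]` arrays stored as its values stay mutable, so a caller could still `<<` onto the `email` list, for example, and change it for the whole process. Freezing the values as well closes that, for instance `.transform_values(&:freeze).freeze` or a `.freeze` on each `%i[]` literal. The constant's opening line is outside the hunk.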
@@ -1,15 +1,17 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Doorkeeper
|
2
4
|
module OpenidConnect
|
3
5
|
def self.configure(&block)
|
4
6
|
if Doorkeeper.configuration.orm != :active_record
|
5
|
-
|
7
|
+
raise Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
|
6
8
|
end
|
7
9
|
|
8
10
|
@config = Config::Builder.new(&block).build
|
9
11
|
end
|
10
12
|
|
11
13
|
def self.configuration
|
12
|
-
@config || (
|
14
|
+
@config || (raise Errors::MissingConfiguration)
|
13
15
|
end
|
14
16
|
|
15
17
|
class Config
|
@@ -23,12 +25,12 @@ module Doorkeeper
|
|
23
25
|
@config
|
24
26
|
end
|
25
27
|
|
26
|
-
def jws_public_key(*
|
27
|
-
puts
|
28
|
+
def jws_public_key(*_args)
|
29
|
+
puts 'DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
|
28
30
|
end
|
29
31
|
|
30
32
|
def jws_private_key(*args)
|
31
|
-
puts
|
33
|
+
puts 'DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
|
32
34
|
signing_key(*args)
|
33
35
|
end
|
34
36
|
end
|
@@ -71,7 +73,7 @@ module Doorkeeper
|
|
71
73
|
value = if attribute_builder
|
72
74
|
attribute_builder.new(&block).build
|
73
75
|
else
|
74
|
-
block
|
76
|
+
block || args.first
|
75
77
|
end
|
76
78
|
|
77
79
|
@config.instance_variable_set(:"@#{attribute}", value)
|
@@ -102,19 +104,23 @@ module Doorkeeper
|
|
102
104
|
option :subject_types_supported, default: [:public]
|
103
105
|
|
104
106
|
option :resource_owner_from_access_token, default: lambda { |*_|
|
105
|
-
|
107
|
+
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
|
106
108
|
}
|
107
109
|
|
108
110
|
option :auth_time_from_resource_owner, default: lambda { |*_|
|
109
|
-
|
111
|
+
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
|
110
112
|
}
|
111
113
|
|
112
114
|
option :reauthenticate_resource_owner, default: lambda { |*_|
|
113
|
-
|
115
|
+
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
|
116
|
+
}
|
117
|
+
|
118
|
+
option :select_account_for_resource_owner, default: lambda { |*_|
|
119
|
+
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
|
114
120
|
}
|
115
121
|
|
116
122
|
option :subject, default: lambda { |*_|
|
117
|
-
|
123
|
+
raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
|
118
124
|
}
|
119
125
|
|
120
126
|
option :expiration, default: 120
|
@@ -124,6 +130,10 @@ module Doorkeeper
|
|
124
130
|
option :protocol, default: lambda { |*_|
|
125
131
|
::Rails.env.production? ? :https : :http
|
126
132
|
}
|
133
|
+
|
134
|
+
option :end_session_endpoint, default: lambda { |*_|
|
135
|
+
nil
|
136
|
+
}
|
127
137
|
end
|
128
138
|
end
|
129
139
|
end
|